Skip to content

Commit

Permalink
feat(core): Limit user invites when SAML is enabled (#5761)
Browse files Browse the repository at this point in the history 
limit user invites when saml is enabled
  • Loading branch information
@flipswitchingmonkey
flipswitchingmonkey committed Mar 23, 2023
1 parent b0cfd69 commit 57748b7
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 6 deletions.
14 changes: 8 additions & 6 deletions packages/cli/src/controllers/users.controller.ts
View file
Expand Up @@ -13,7 +13,6 @@ import {
getInstanceBaseUrl,
hashPassword,
isEmailSetUp,
isUserManagementEnabled,
sanitizeUser,
validatePassword,
withFeatureFlags,
Expand All @@ -35,6 +34,8 @@ import type {
import type { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
import { AuthIdentity } from '@db/entities/AuthIdentity';
import type { PostHogClient } from '@/posthog';
import { userManagementEnabledMiddleware } from '../middlewares/userManagementEnabled';
import { isSamlLicensedAndEnabled } from '../sso/saml/samlHelpers';

@RestController('/users')
export class UsersController {
Expand Down Expand Up @@ -98,14 +99,15 @@ export class UsersController {
/**
* Send email invite(s) to one or multiple users and create user shell(s).
*/
@Post('/')
@Post('/', { middlewares: [userManagementEnabledMiddleware] })
async sendEmailInvites(req: UserRequest.Invite) {
// TODO: this should be checked in the middleware rather than here
if (!isUserManagementEnabled()) {
if (isSamlLicensedAndEnabled()) {
this.logger.debug(
'Request to send email invite(s) to user(s) failed because user management is disabled',
'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
);
throw new BadRequestError(
'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
);
throw new BadRequestError('User management is disabled');
}

if (!this.config.getEnv('userManagement.isInstanceOwnerSetUp')) {
Expand Down
12 changes: 12 additions & 0 deletions packages/cli/src/middlewares/userManagementEnabled.ts
View file
@@ -0,0 +1,12 @@
import type { RequestHandler } from 'express';
import { LoggerProxy } from 'n8n-workflow';
import { isUserManagementEnabled } from '../UserManagement/UserManagementHelper';

export const userManagementEnabledMiddleware: RequestHandler = (req, res, next) => {
if (isUserManagementEnabled()) {
next();
} else {
LoggerProxy.debug('Request failed because user management is disabled');
res.status(400).json({ status: 'error', message: 'User management is disabled' });
}
};

0 comments on commit 57748b7

Please sign in to comment.